(54) User access system using proxies for accessing a network



(57) Access system and method for enabling ac-
cess to a local area network (14) from a client (12), e.g.
through a publicly accessible network (18). A connec-
tion between the client (12) and a network server
(151, 152, 153) is established not directly but through a
client proxy means (11) located at the client (12) and a
proxy server (13) at the local area network (14). The
connection between the client proxy means (11) at the
client (12) and a proxy server (13) at the local area net-
work (14) may be established through a firewall restrict-
ing access to the local area network (14) and/or client
(12). In establishing the connection, ports of the client
proxy means (11) at the client side may be mapped in
multiple steps to the ports of network servers
(151, 152, 153) of the local area network (14). The inven-
tion allows services such as ftp, http,
IMAP and similar to be executed at the client side for accessing data or
services at the local area network side.
Description

FIELD OF THE INVENTION 

[0001] The present invention relates to an access sys-
tem and a method for enabling a user to access a local
area network, e.g. using a public network. 

BACKGROUND OF THE INVENTION 

[0002] Today's public and private communication net- 
works are increasingly used for applications involving 
data transmissions over networks of data processing 
devices. For example, growing numbers of financial 
transactions or access sessions to review, retrieve or 
manipulate data are executed over public networks and 
it is of high importance to prevent access to personal 
data by unauthorized parties and to provide a secure 
data transmission link for executing these transactions. 
However, at the same time it is desirable that an author- 
ized user may conveniently access the service. 
[0003] If a secure transmission line between a client 
and a local area network is available, convenient user 
access is established relatively easily. However, in case
a local area network is accessible from a remote host 
for example via a public network like the Internet, avoid- 
ing unauthorized access from the public network to the 
local area network generally requires complex security 
measures which may make it difficult for a user to obtain 
convenient access to services available at the local area 
network. 

SUMMARY OF THE INVENTION 

[0004] It is therefore desirable to provide an access 
system and corresponding method for enabling im- 
proved access from a client to a local area network. 
[0005] An access system for enabling a user to ac- 
cess a local area network may comprise client proxy 
means adapted to exchange data with a client data 
processing device and with at least one network server 
of the local area network through a proxy server. Further, 
the access system may comprise connection means for 
establishing a data transmission link between the client 
proxy means and the proxy server, selecting at least one 
of the network servers based on the request, and for 
establishing a communication link between the client 
proxy means and the network server involving the data 
transmission link. 

[0006] According thereto, the client data processing 
device may not directly access a desired one of network 
servers at a local area network, but instead transmits 
the request to client proxy means for further execution. 
The connection means may select a network server for 
serving the request and a data transmission link may be 
established between the client proxy means and a proxy 
server and further, a communication link between the 
client proxy means and the network server may be es-
tablished via the data transmission link, thus allowing
the network server to serve the request. 
[0007] Further, the network server may be selected 
based on a port at the client proxy means receiving the
request and/or by information included into the request
and the communication link between the client proxy 
means and the network server may include a port of the 
client proxy means and a port of the network server. 
[0008] The connection means may be arranged to
generate a list of assignments between at least one port
of the client proxy means and at least one port of the at 
least one network server and may be arranged for re- 
trieving corresponding mapping rules, the mapping 
rules at least including information on establishing the
data transmission link between the client proxy means
and the proxy server. The mapping rules may further in- 
clude address information of the at least one network 
server of the local area network. 
[0009] The connection means may comprise first sub-
connection means for mapping at least one port of the
proxy server to at least one port of the client proxy 
means; second sub-connection means for mapping at 
least one port of the at least one network server to at 
least one port of the proxy server; and wherein the map-
ping is in accordance with the retrieved mapping rules.
[0010] The data transmission link between the proxy 
server and the client proxy means may involve a secure 
communication via a public network and an authoriza-
tion procedure for authorizing may be executed at the
client data processing device, e.g. by a user at the client
data processing device. The data transmission session 
with the client proxy means may be established through 
a firewall restricting access to the local area network 
from the outside. 

[0011] The connection means may comprise means
for mapping a port of the client proxy means to a port of
the firewall and means for mapping the port of the fire-
wall to a port of the proxy server.
[0012] The client data processing device may be part
of a client network and the data transmission link be-
tween the client proxy means and the proxy server is
further established through a firewall restricting access 
to the client network from the outside. 
[0013] The proxy server may be located inside a fire-
wall restricting access to the local area network from the
outside and may be configured to allow access only to 
selected network servers. 

[0014] The client proxy means may be registered as 
a proxy at the client data processing device for execut-
ing an application that is proxy enabled, i.e. allows reg-
istering a proxy. Further, at the client data processing
device the name of a network server may be replaced 
by the name of the client proxy means and a specific 
port for an application that is not proxy enabled. 

[0015] An access method for enabling a user to ac-
cess a local area network may include receiving a re-
quest from a client data processing device at a client
proxy means, establishing a data transmission link be-
tween the client proxy means and a proxy server, deter-
mining one of the at least one network servers based
on the request, establishing a communication link be- 
tween the client proxy means and the network server 
involving the data transmission link, and authorizing the 
network server to serve the request. 
[0016] Further advantageous embodiments of the in- 
vention are disclosed in the claims. 

BRIEF DESCRIPTION OF THE DRAWINGS 

[0017] 

Fig. 1 shows a block diagram illustrating elements of 
the system for enabling access to a local area 
network according to an embodiment of the in- 
vention; 

Fig. 2 shows a flow diagram illustrating steps of the 
method according to another embodiment of 
the invention. 

Fig. 3 shows a block diagram illustrating elements of 
the system for enabling access to a local area 
network according to an embodiment of the in- 
vention; 

Fig. 4 shows a flow diagram illustrating steps of the 
method according to another embodiment of 
the invention. 

Fig. 5 shows a flow diagram of a time sequence of 
transmissions according to another embodi- 
ment of the invention; 

Fig. 6 shows a flow diagram of a time sequence of 
transmissions according to another embodi- 
ment of the invention; 

Fig. 7 shows a block diagram illustrating elements 
of the system for enabling access to a local 
area network according to an embodiment of 
the invention; 

Fig. 8 shows a block diagram illustrating elements 
of the system for enabling access to a local 
area network according to an embodiment of 
the invention involving access through a fire-
wall;

Fig. 9 shows a block diagram illustrating elements 
of the system for enabling access to a local 
area network according to an embodiment of 
the invention involving access through a fire- 
wall; 

Fig. 10 shows a block diagram illustrating elements 
of the system for enabling access to a local
area network according to an embodiment of
the invention including a client side network; 

Fig. 11 shows a flow diagram of a time sequence of 
transmissions according to another embodi-
ment of the invention;

DETAILED DESCRIPTION OF THE PREFERRED 
EMBODIMENTS 


[0018] In the figures corresponding elements are de- 
noted by corresponding reference numerals. 
[0019] In the following an embodiment of the invention 
will be described with respect to Fig. 1. Fig. 1 shows a
block diagram of an access system for enabling access
to a local area network according to an embodiment of 
the invention. 

[0020] Fig. 1 illustrates elements of an access system
including a client proxy means 11 for exchanging data
with a client data processing device 12 via a connection
111. Further, Fig. 1 shows connection means 16 for con-
necting the client proxy means 11 and a proxy server 13
via a data transmission link 18. Still further, Fig. 1 shows
three exemplary network servers 151, 152 and 153
connected to the proxy server 13, e.g. via a communi-
cation network such as a local area network 14, as illus-
trated by an arrow 141.

[0021] The access system of the shown embodiment 
provides, e.g. a user operating the client data process-
ing device 12, improved access to information on the
network servers 151, 152 and 153 through the client
proxy means 11 and the proxy server 13, e.g. for re-
questing services from the network servers such as ob-
taining data files, starting applications and similar.

[0022] In the embodiment illustrated in Fig. 1, the cli-
ent data processing device 12 does not directly access
a desired one of the network servers; instead the client
proxy means 11 executes the request on behalf of the
client data processing device 12. Upon detecting a re-
quest from the client data processing device, preferably
the connection means 16 may determine one of the at
least one network servers based on the request, estab-
lish the data transmission link 18 between the client
proxy means 11 and the proxy server 13 and establish
a communication link between the client proxy means
11 and the network server involving the data transmis-
sion link.

[0023] This may be particularly advantageous in case 
a direct communication between the client data 
processing device 12 and the network servers is not
possible, e.g. due to access restrictions or similar re- 
stricting access to the local servers and/or the local area 
network 14. 

[0024] In the following the elements of the access sys-
tem of Fig. 1 will be described in further detail.

[0025] The client data processing device 12 may be
a general purpose data processing device, a mobile ter- 
minal, such as a mobile computer, a mobile phone, a 
mobile data organizer or similar. The client data
processing device 12 preferably is equipped with com- 
munication means for communicating with other data 
processing devices, e.g., a modem or similar, and com- 
municates with the client proxy means 11 via a connec-
tion 111, which may be a communication link via a ded-
icated line, via a network or similar, including wireless
transmission and internal connections, e.g. an internal 
connection in a data processing device. The connection 
111 may be a temporary connection, established on de- 
mand upon generation of a request at the client data 
processing device 12, and may be maintained for further
requests. Requests may for example relate to a retrieval 
of data from the network servers, relate to execution of 
an application at the network servers or similar. 
[0026] The client proxy means 11 may be constituted
by a dedicated data processing device or may be real- 
ized by a code section executed for example at the client 
data processing device 12. The client proxy means may
be located at an arbitrary location, however, it may be 
preferred to locate the client proxy means in close prox- 
imity to the client data processing device, e.g. to ensure 
short communication paths which may be more easily 
protected from unauthorized listening. 
[0027] The client proxy means preferably acts on be- 
half of the client data processing device in executing at 
least some of the requests generated at the client data 
processing device, i.e. the client proxy device may act 
as a proxy for the client data processing device. 
[0028] In general, a proxy is an entity which is author- 
ized to act on behalf of another entity, i.e., to execute 
operations such as communication requests on behalf 
of the requesting entity. As common in network applica- 
tions, a proxy receives, e.g., a request for data from a 
requesting device and retrieves the data on behalf of the 
requesting device. Since in network applications usually 
the destination address as well as the originating ad-
dress is specified, the proxy preferably includes its own
address as originating address. Therefore, any request- 
ed data will be transmitted back to the proxy. After re- 
ceiving the requested data the proxy transmits the re- 
quested data to the requesting entity, e.g. a data 
processing device of a user who wishes to access infor- 
mation on a public network such as the Internet. 
[0029] In the present case the client proxy means 11
may be registered as a proxy at the client data process- 
ing device 12 to handle at least some of the requests 
generated at the client data processing device 12, or the 
client data processing device 12 may be configured by 
other means to transmit at least some requests to the 
client proxy means 11. The client proxy means after re-
ceiving a request from the client data processing device
12, retrieves the requested data and then transmits the 
requested data to the client data processing device. 
[0030] The connection means 16 is responsible for 
establishing the required connection between the client 
proxy means and the appropriate network server. The 
connection means 16 may be a dedicated data process-
ing device connectable to the client proxy means 11 or
may be constituted by a code section executed at a data
processing device such as the client proxy means 11
and/or the client data processing device 12 or similar.
[0031] In particular, upon reception of a request from
the client data processing device 12 at the client proxy
means 11, the connection means 16 may select at least
one of the network servers for serving the request. The
selection may for example be based on information in-
cluded into the request, an identifier transmitted in as-
sociation with the request and/or a particular service or
service type requested in connection with the request.
For facilitating a selection, the connection means 16
may maintain for example information on services avail-
able at the network servers and/or address information
of the network servers.

[0032] The selected network server may also be re- 
sponsible for further routing the request, i.e. act as a 
gateway or proxy for further distributing the request to 
further network servers. Particularly in case for example
a plurality of network servers is available for serving a 
particular type of request, the selected network server 
may act as a gateway or proxy for further distributing the 
request. 

[0033] The connection means preferably also estab-
lishes the data transmission link 18 between the client
proxy means 11 and the proxy server 13, e.g., via a net-
work such as the Internet and/or via a dedicated com-
munication line including wireless transmissions. The
data transmission link 18 may be referred to as a "tun-
nel", as it may pass or tunnel elements restricting ac-
cess to the local area network 14, such as firewalls etc.,
and may be used to establish a secure connection
through a publicly accessible network, as outlined with
respect to further embodiments. Establishing the data
transmission link 18 may involve contacting the proxy
server 13 and the client proxy means 11 and negotiating
a communication protocol between these two devices,
for example involving a particular method of exchanging
data and/or security measures. The data transmission
link 18 may be established on demand, e.g. upon re-
quest from the client proxy means 11, in case the client
proxy means 11 receives a request for data from the cli-
ent data processing device 12, or may be established
once at system set-up and then may be maintained
throughout operation time. The data transmission link
18 may accommodate a plurality of communication links
between at least one client and at least one network
server.

[0034] Still further, the connection means 16 prefera-
bly establishes a connection between the client proxy
means and the selected network server involving the da-
ta transmission link 18. This preferably includes instruct-
ing the proxy server to connect to the selected network
server. Thus, the communication link will use a trans-
mission path from the client proxy means 11 through the
proxy server 13 to the selected network server. The par-
tition of the communication link between the client proxy
means and the proxy server will thus use the transmis-
sion link 18 as transmission medium or carrier. The par-
tition of the communication link from the proxy server to
the selected network server may be a connection as 
common in network applications involving packet 
switched communication or any other connection and 
may be established on demand through the client proxy 
means 11 upon reception of a request, but may be main- 
tained for further connections involving the same client 
and the same network server and e.g. the same type of 
request. 

[0035] The connection means 16 may be realized as
one or more dedicated data processing devices or by 
code sections executed at e.g. the client proxy means 
and/or the client data processing device. 
[0036] The proxy server 13 may be a data processing
device, for example a data processing device with large 
capacity for serving a large number of client requests. 
The proxy server 13 may act as a proxy, i.e. executes 
requests on behalf of another entity, in the present case 
for example upon request of the client proxy means 11.
The proxy server 13 is connectable to the network serv-
ers 151, 152 and 153, as illustrated by an arrow 141.
The connections may be temporary connections, estab- 
lished e.g. on demand upon generation of a request at 
the client data processing device 12, but may also be 
maintained for further requests. 

[0037] The network servers 151, 152 and 153 may for
example be data servers having large capacity for serv- 
ing a large number of client requests and/or for storing 
large amounts of data. Even though only three network 
servers are shown, it is understood that an arbitrary 
number of network servers may be provided inside and 
outside the local area network 14. The proxy server 13 
and the network servers 151, 152 and 153 are shown
to be connected via the local area network 14, however,
it is also possible that the proxy server and the network 
servers are connected via dedicated communication 
lines or via a wide area network such as the Internet or 
a combination of networks. Finally, it is possible that 
some of the network servers are part of the local area 
network 14, while other network servers are part of other
networks while being accessible through the proxy serv- 
er 13. 

[0038] The access system of the shown embodiment 
provides improved access for, e.g. a user operating the 
client data processing device 12, to information on the 
network servers 151, 152 and 153, even if direct access
to network servers is not possible due to access restric- 
tions at the local area network. Access may be obtained 
from the client data processing device 12 through the 
client proxy means 11 and the proxy server 13, e.g. for 
requesting services from the network servers such as 
obtaining data files, starting applications and similar. 
[0039] In the following a further embodiment of the in- 
vention will be described with respect to Fig. 2. Fig. 2 
shows a flow diagram of a sequence of steps of the 
method according to another embodiment of the inven-
tion.

[0040] As the previous embodiment, the steps out- 
lined with respect to this embodiment allow improved 
access to a local area network from a client data 
processing device by employing a client proxy means,
a proxy server and connection means. 
[0041] In a first step S21 a request from a client data 
processing device is received at the client proxy means 
11. The request may for example be a request for data,
or a request for a particular service, such as the execu-
tion of an application program or similar. As an example,
a user operating the client data processing device could
generate a request concerning the display of a particular
document at the client data processing device. This re-
quest could be for example generated by entering a par-
ticular network address specifying a storage location of
the requested document at the client data processing
device or by clicking onto a correspondingly marked ar-
ea on a display associated with the client data process-
ing device 12 or could be generated by clicking onto an
icon on a display associated with the client data
processing device. The request may contain information
on a requested document and/or service and may con-
tain information on the client data processing device
originating the request and similar.

[0042] In a step S22 for example the connection 
means 16 establishes a data transmission link or "tun-
nel" between the client proxy means 11 and proxy server
13. This may involve sending a connection request to
the proxy server 13, negotiating communication proto-
cols, encryption methods, and similar.
[0043] In a step S23 for example the connection
means 16 may determine one of the at least one network
servers based on the request from the client data
processing device 12. For example, information on the
desired network server may be included into the request
and/or the desired network server may be determined
based on an identifier transmitted in association with the
message and/or may be determined based on a type of
request received at the client proxy means 11. For ex-
ample, in case the request from the client data process-
ing device 12 includes a request concerning e-mail serv-
ices, e.g. the connection means 16 determines a net-
work server providing e-mail services. In case the re-
quest from the client data processing device 12 includes
a request concerning a html (hyper text markup lan-
guage) document, the connection means 16 may deter-
mine a network server providing http (hyper text trans-
port protocol) services. As common in network applica-
tions, the selected network server may also be a gate-
way or proxy for further distributing the request.
[0044] The client proxy means may maintain informa- 
tion on the available network servers and services pro- 
vided by the network servers. 
[0045] After an appropriate one of the network servers
is determined based on the request, in a step S24 a
communication link between the client proxy means and
the network server is established via the data transmis-
sion link previously established between the client proxy
means and the proxy server. The communication link 
may be a communication link as common in network ap- 
plications involving packet switched transmissions and 
may therefore be a point to point bi-directional connec- 
tion. The communication link between the client proxy 
means and the network server may be established only 
for serving a single request or may be maintained after 
serving the request for further requests, e.g. with similar 
contents. 

[0046] Thereafter, in a step S25 the request is served 
by the network server. Service may include retrieving 
data from the network server through the proxy server 
based on the request and transmitting the data to the 
client data processing device or may include executing 
an application at the network server under control of the 
client data processing device 12. This may involve a bi- 
directional communication between the network server 
and the client data processing device 12 via the estab- 
lished communication link, e.g. for interactively control- 
ling the execution of an application at the network server 
via the client data processing device 12, e.g., for scroll- 
ing through a document or for editing purposes or for 
displaying parts of image data such as a bitmap. Serving 
the request may also include a bitmap protocol or X Win- 
dows protocol or similar. 

[0047] Serving the request may also include further 
distribution of the request to further network servers. 
[0048] It is noted that the sequence of steps outlined
above may be altered, in particular step S22 may gen- 
erally be executed at any time, for example before step 
S21 or after step S23. 

[0049] In the following a further embodiment of the in- 
vention will be described with respect to Fig. 3. Fig. 3 
shows a block diagram of an access system for enabling
access to a local area network according to another em- 
bodiment of the invention. 

[0050] Further to the elements of Fig. 1, Fig. 3 shows
a browser 121 and an IMAP (Internet message access 
protocol) application 122 running at the client data 
processing device 12. The client data processing device
12, the client proxy means 11 and the connection means
16 are arranged at a client side 15, e.g., located at a 
user wishing to access services provided by the system. 
[0051] In the present embodiment the client data 
processing device 12 does again not directly access a
desired one of the network servers, instead the client 
proxy means 11 and the connection means 16 execute 
the request on behalf of the client data processing de- 
vice 12 by determining one of the at least one network 
servers based on the request, establishing the data 
transmission link 18 between the client proxy means 11 
and the proxy server 13 and by establishing a commu-
nication link between the client proxy means 11 and the
network server involving the data transmission link. 
[0052] The browser 121 is connectable via a connec-
tion 311 to a port 11a of the client proxy means 11 and
the email application 122 is connectable via a connec-
tion 312 to a port 11b of the client proxy means 11. Fur-
ther, network servers 151, 152 and 153 are shown hav-
ing ports 151a, 152a, 152b and 153a, respectively, for
receiving data from the proxy server via connections
313, 314, 315 and 316. The ports may, e.g. receive
packets of data. The connections 311 - 316 may be tem-
porary connections, established on demand upon gen-
eration of a request, but may be maintained operable
for further requests. Further, the connections 311 - 316
preferably allow a bi-directional communication, i.e. da-
ta can be transmitted in both directions via a connection
once it is established.

[0053] The elements at the client side 15 and the local
area network 14 are shown as part of a wide area net-
work 17, such as a public network, for example the In-
ternet or any other network.

[0054] The client data processing device 12 may run
application programs generating requests for data or
messages, for example the browser 121 for browsing
information or transmitting data in data communication
networks. Generally, a browser may be constituted by a
piece of software which, when run at a client, allows a
user to browse through a set of data, i.e., a browser is
a program that may serve as a front end to a network
such as the World Wide Web on the Internet. In this
case, a user may enter an address of a web site into a
browser's location field and a corresponding home page
will be downloaded for local display. Further, the user
may enter the address and name of a particular docu-
ment, in which case the document will be downloaded
for display. The downloaded information may, if visual-
ized, serve as an index to other pages on the web site
which can be accessed by clicking on for example a
"click here" message, high-lighted text or an icon on the
screen.

[0055] Further, the client data processing device 12 
may run an application program as for example the 
IMAP application 122, e.g. a mail processing application
for sending, receiving and handling of e-mail documents
remotely on one of the network servers.

[0056] Further applications requiring access to the 
network servers may be provided, such as applications 
for remotely controlling the execution of application pro- 
grams at a local server. 

[0057] In the present case the client proxy means 11
handles requests generated at the client data process-
ing device 12. Thus, requests, e.g. generated by the
browser 121, will be sent to the client proxy means 11
for execution. It is possible that all requests generated
at the client data processing device 12 are transmitted
to the client proxy means for further handling. However,
it is also possible that only selected requests are sent
to the client proxy means 11, e.g. requests of a particular
type or generated by a particular application at the client
data processing device 12. In this case requests which
are not transmitted to the client proxy means 11 may be
directly executed at the client data processing device
12, i.e. these requests may be directly transmitted over
a network such as the Internet, as known in the art.
[0058] The client data processing device 12 and the 
client proxy means 11 in Fig. 3 are illustrated as sepa- 
rate entities and it is to be assured that requests are 
transmitted from the client data processing device to the 
client proxy device. Therefore at the client side 15 
means may be provided for registering the client proxy 
means as a proxy at the client data processing device 
in case the client data processing device executes an 
application, e.g. browser 121 and/or IMAP application 
122, that is proxy-enabled. This assures that the re- 
quests from the client data processing device are sent 
to the client proxy means. Registering the client proxy 
means as a proxy may be accomplished for example by 
entering a network address of the client proxy means at 
the client data processing device. For example, appli- 
cations that are proxy-enabled may provide an option to 
register another device as proxy by entering a network 
address into a specified location on a display. A proxy- 
enabled browser may thus provide means for entering 
an IP-address and a port number for a specific service, 
i.e. communication type requested. Entering the IP-ad- 
dress and the corresponding port number at the client, 
e.g. at the client browser or the mail processing system, 
effects that all requests from the respective applications 
at the client data processing device are transmitted to 
the corresponding port at the client proxy means. An
http-request, e.g. from browser 121 of the client data
processing device 12, will be transmitted to port 80 of the
processing device, e.g. port 11a. Also, any
IMAP request from the IMAP application 122 will there- 
fore preferably be sent to the processing device to port 
number 143, i.e. port 11b. 

[0059] In case an application is not proxy-enabled, the 
application does not provide means for registering a 
proxy, such as the client proxy means 11, and therefore
in case an application which is not proxy-enabled is ex- 
ecuted at the client data processing device, e.g. a non 
proxy-enabled browser and/or a non proxy-enabled 
IMAP application, the name of a network server is re- 
placed by the name of the client proxy means and the 
appropriate port. This may be accomplished by a soft- 
ware program run at the client data processing device 
and will effect that requests of an application to the net- 
work servers 151, 152 or 153, will only be sent to the 
client proxy means 11.

[0060] The client data processing device 12, i.e. the
browser 121 and the mail processing application 122 are
connected to the client proxy means 11 via connection 311
for exchanging data. The connections 311, 312 between the
client proxy means 11 and the data processing device 12 may
be a standard packet-switched connection or any other
connection for exchanging data. In case of packet-switched
connections, as shown in Fig. 1, the connection 311 will
have a starting point at the client data processing device
12 and an ending point or port at the client proxy means 11.
In the shown example the communication path 311 from the
browser 121 ends at a port 11a at the client proxy means 11,
and the connection 312 from the IMAP application ends at
port 11b at the client proxy means 11.
[0061] As common in networks, e.g., in packet oriented
networks, each connection is characterized by an origin and
a communication end point. Each communication end point is
constituted by a port having a specific predetermined number
and a receiver address, i.e. the address of a particular
machine. For each communication type a specific port is
provided. Common port numbers for standard communication
types are port number 80 for http (hyper text transport
protocol), port number 21 for ftp (file transfer protocol),
port number 25 for SMTP (Simple Mail Transfer Protocol) and
port number 143 for IMAP (Internet Message Access Protocol).
[0062] Data packets are routed from the originating entity
to the communication end point. Therefore, a packet can be
routed to a destination using the IP- (Internet Protocol)
address of the destination device and an appropriate port
number. For example, a selected hyperlink, e.g. selected by
clicking on it using a standard browser will be translated
into an IP-address and a port number using a domain name
system (DNS). If for example a browser connectable to a
network such as the internet attempts to retrieve an html
document from the Internet, the corresponding data providing
device storing the requested document will be addressed
using its IP-address and further, the http-port, i.e. port
number 80, will be specified.

[0063] In the present embodiment as an example it is assumed
that port 11a is arranged to receive http requests from the
browser 121, and the port 11b is arranged to receive IMAP
requests from the IMAP application 122. In this case
communication end point 11a would have a port number 80 and
communication end point 11b would have a port number 143.
However, in other examples any other configurations are
possible, e.g., multiple communication paths from an
application etc.

[0064] Further, Fig. 3 shows a proxy server 13 for
exchanging data with the client proxy means 11 over a
communication link 18 and for exchanging data with the
network servers, for example as outlined with respect to the
previous embodiments. Any communication between the proxy
server 13 and the network servers 151, 152 and 153 may for
example be realized via the local area network 14 involving
packet switched transmission, however, any other
communication type may be employed as well, including
dedicated communication lines and wireless transmissions.

[0065] The proxy server 13 may also be constituted by a
dedicated data processing device, or may be constituted by
an application program executed on a data processing device
at the same time used for other purposes.

[0066] The proxy server 13 includes communication starting
points 13a and 13b, e.g., for handling requests of a certain
type. In the present case it is for example assumed that
starting point 13a is responsible for http requests and that
starting point 13b is responsible for IMAP application
requests. However, this is an example for illustration
purposes; for example, only one starting point for handling
multiple types of request may be provided instead.

[0067] The connection 313 between the proxy server 13 and
the network server 151 starts at the starting point 13a of
the proxy server and ends at a port 151a of the local server
151. The connection 314 between the proxy server and the
network server 152 runs from the starting point 13a at the
proxy server to a port 152a of the local server 152. The
connection 315 between the proxy server and the network
server 152 runs from the starting point 13b of the proxy
server to the port 152b of the network server 152. Still
further, connection 316 between the proxy server 13 and the
network server 153 runs from starting point 13a of the proxy
server to the port 153a of the network server 153.
[0068] In the present case it is for example assumed that
the ports 151a and 152a and 153a are ports responsible for
handling http requests, for example for communicating with
the browser 121 at the client data processing device 12.
Further, in the present case it is for example assumed that
port 152b is a port responsible for handling IMAP requests,
for example for communicating with the IMAP application 122
at the client data processing device 12. Thus ports 151a and
152a and 153a could be ports corresponding to port 11a at
the client proxy device 11, and port 152b of local server
152 could correspond to port 11b of the client proxy device
11.

[0069] In the example of Fig. 3 network servers 151 and 153
only include one port, in the example for handling HTTP
requests, whereas network server 152 shows two ports, in the
example port 152a for handling HTTP requests and port 152b
for handling IMAP requests. However, this is an example
only, the network servers may have any number of ports and
further types of ports than the two depicted, for HTTP and
IMAP, may be provided, for example for FTP, SMTP, Gopher,
etc. Correspondingly, the data processing device 12 may
execute further application programs, for example for FTP,
SMTP or Gopher.

[0070] The connection means 16 at the client side 15 may be
responsible for establishing a data transmission link 18
between the client proxy means and the proxy server 13
and/or selecting a network server and/or establishing the
communication link between the proxy server and the selected
network server. Information, e.g., on network servers,
services, client identities, communication protocols,
encryption methods, interfaces in the transmission path and
similar may be maintained in a memory accessible by the
connection means 16.
[0071] For establishing a data transmission link 18 between
the client proxy means and the proxy server 13 the
connection means may contact the proxy server with a
connection request. Thereafter a communication protocol may
be negotiated including encryption methods and similar.
Preferably the client proxy means 11 maintains information
on the configuration of the proxy server 13 in order to
appropriately contact the proxy server.

[0072] The communication link 18 may include transmissions
through a wide area network 17, for example a public network
such as the internet or may be accomplished by any other
network or a dedicated communication line, including
wireless transmissions. The data transmission link 18 is
suited to accommodate a plurality of communication links
from the client side 15 to the local area network 14.

[0073] The connection means 16 further selects at least one
of the network servers 151, 152 and 153 based on the request
received at the client proxy means 11 from the client data
processing device 12. Further, the connection means may
select a port at the selected network server. To facilitate
a selection, the connection means 16 may maintain
information on the local area network 14, in order to be
able to select appropriate network servers.

[0074] This may include information on at least one of the
group consisting of

- network servers available,

- services available on the network servers, i.e. port
  numbers,

- identifiers of users authorized for access.

[0075] The information on the available network servers of
the local area network 14 and/or services and/or users may
be maintained in a database at the client side 15 or any
other location. Further, this information could for example
be retrieved from the local area network 14 before serving a
request or could be transferred before starting an access
session.

[0076] The selection of one of the network servers and/or a
port at one of the network servers may be based on a type of
request received. For example, if a request is received from
the IMAP application 122 at port 11b at the client proxy
means 11, the connection means 16 may select an e-mail port
on a server at the local area network 14, for example port
152b at network server 152 for serving the request. This
selection may be based on information maintained at the
connection means 16 on available network servers and/or
services available at the network servers.

[0077] If for example a request for an html document is
received at port 11a of the client proxy means 11 from the
browser 121, the connection means 16 may select a
corresponding port of one of the network servers providing
HTTP services, such as for example ports 151a, 152a, 153a of
network servers 151, 152 and 153.

[0078] In case a plurality of network servers is available
for serving the request, the connection means 16 may select
one of the available network servers based on information
maintained at the connection means 16, which acts as a
gateway or proxy for the corresponding type of request and
may then distribute the request based on further information
included in the request, e.g. a URL of a particular document
desired, as known in the art.

[0079] Further, it is possible to transmit this request 
to a dedicated site at the local area network 14 for ana- 
lyzing the request and handling further distribution of the 
request to an appropriate network server, e.g., based 
on a URL contained in the request and/or a further iden- 
tifier contained in the request such as a user identifier. 
Thus the connection means may only maintain informa- 
tion on one responsible network server (i.e. dedicated 
site) for each type of request. It is also possible that the 
proxy server 13 analyzes the request and further distrib- 
utes the request to an appropriate network server. 
[0080] Further, the selection may be based on a net- 
work server identifier transmitted with the request, for 
example in case an application generating the request 
is configured to communicate with a predetermined net- 
work server. 

[0081] The selection may also be based on a data 
type requested. If for example a html document is de- 
sired, a http server could be selected. The selection may 
also be based on an application requested or on the 
identity of a user. 

[0082] The connection means 16 may directly ana- 
lyze the request from the client data processing device 
12, in order to determine an appropriate network server 
for handling the request. A network server could be di- 
rectly specified in the request or could be derivable from 
the request. 

[0083] For example, in case the request contains in- 
formation such as a URL of a particular document or an 
identifier of a particular e-mail account, the connection 
means could base the selection of the network server 
on this information. 

[0084] In brief, the selection of a network server may be
based on at least one of the group consisting of

- a type of request,

- a network server identifier transmitted with the request,

- a port number of a port at the client proxy means
  receiving the request,

- a data type requested,

- an application requested.

[0085] Further, the connection means 16 is preferably
responsible for establishing communication links between the
client proxy means 11 and an appropriate one of the network
servers 151, 152 and 153. The communication link between the
client proxy means 11 and the local server will be
established through the data transmission link 18 provided
between the client proxy means 11 and the proxy server 13.
This may involve mapping, i.e. assigning at least one port
of the client proxy device 11 to at least one port of the
network servers, possibly in multiple steps. Preferably in a
first step a port of the client proxy means 11 may be mapped
to a port of the proxy server 13. In a second step the port
of the proxy server 13 may be mapped to a port of the
selected local server. This may include instructing the
proxy server 13 to perform the required assignment with a
mapping message from the connection means 16. The connection
means may further authorize the selected network server to
serve the request.
[0086] In order to establish the communication link the
connection means may include sub-connection means for
mapping at least one port of at least one of the network
servers 151, 152 and 153 to at least one port of the client
proxy means 13. The sub-connection means may be located at
the client proxy means and/or at the proxy server. For
example, port 11a of the client proxy means for receiving
e.g. http-requests from the browser 121, may be mapped to
port 151a of the network server 151 and/or port 152a of the
network server 152, assuming that ports 151a and 152a are
http ports. The other ports may be mapped similarly. It is
noted that this is an example only, further ports at the
network servers or at further network servers may be
provided.
[0087] The connection means may also comprise a further
sub-connection means for mapping at least one port of the
proxy server 13 to at least one port of the client proxy
means 11.
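
The two-step port mapping of paragraphs [0085] to [0087], as an added example that is not part of the patent text: a client proxy maps one local port to the proxy server by sending a mapping message, and the proxy server maps it on to a network server port only when the requested service and the user are on its own lists. The one-line message format, the OK/DENY replies, the user names, the loopback addresses and the names `ProxyServer`, `client_proxy` and `demo` are assumptions made for this example.

```python
import asyncio

async def pipe(reader, writer):  # copy one direction until EOF, then close
    try:
        while data := await reader.read(4096):
            writer.write(data)
            await writer.drain()
    except ConnectionError:
        pass
    finally:
        writer.close()

class ProxyServer:
    """Proxy server 13: second mapping step, limited to listed services and users."""
    def __init__(self, services, users):
        self.services = services  # request type -> (host, port) of a network server
        self.users = users        # identifiers of users authorized for access
    async def handle(self, r, w):
        # Mapping message in a constructed format: b"<service> <user>\n"
        service, user = (await r.readline()).decode().split()
        target = self.services.get(service)
        if target is None or user not in self.users:
            w.write(b"DENY\n")    # refuse to relay to anything not listed
            w.close()
        else:
            sr, sw = await asyncio.open_connection(*target)
            w.write(b"OK\n")
            await asyncio.gather(pipe(r, sw), pipe(sr, w))

def client_proxy(service, user, proxy_addr):
    """Client proxy means 11: first mapping step for one local port."""
    async def handle(r, w):
        pr, pw = await asyncio.open_connection(*proxy_addr)
        pw.write(f"{service} {user}\n".encode())
        if await pr.readline() == b"OK\n":
            await asyncio.gather(pipe(r, pw), pipe(pr, w))
        else:  # mapping refused: drop the application's connection
            w.close()
            pw.close()
    return handle

async def demo(user):  # one request through all three hops on loopback
    async def web(r, w):  # stand-in for HTTP port 151a of network server 151
        w.write(b"151a:" + await r.readline())
        w.close()
    addr = lambda s: s.sockets[0].getsockname()[:2]
    srv = await asyncio.start_server(web, "127.0.0.1", 0)
    proxy = ProxyServer({"http": addr(srv)}, {"alice"})
    ps = await asyncio.start_server(proxy.handle, "127.0.0.1", 0)
    cp = await asyncio.start_server(client_proxy("http", user, addr(ps)), "127.0.0.1", 0)
    r, w = await asyncio.open_connection(*addr(cp))
    try:
        w.write(b"GET /index.html\n")
        reply = await r.readline()
    except ConnectionError:
        reply = b""  # refused mapping: the client proxy reset the connection
    w.close()
    for s in (cp, ps, srv):
        s.close()
    return reply
```

`asyncio.run(demo("alice"))` returns the network server's reply, while a user missing from the proxy server's list gets an empty reply because the mapping is refused before any connection to the network server is opened.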

[0088] The information on establishing the data transmission
link 18 between the client proxy means 11 and the proxy
server 13, and the information for facilitating a selection
of one of the available network servers at the local area
network 14 and establishing the communication link between
the client proxy means 11 and the selected local server
could also be stored in a memory as mapping rules which are
retrieved by the connection means 16 upon receiving a
request at the client data processing means 11.

[0089] Thus, the connection means may be arranged to select
one of the network servers and to retrieve corresponding
mapping rules, for example including information on
establishing a secure transmission link to the destination
proxy server. This may include information on configuring
the client proxy means and/or the proxy server in accordance
with the request received, in establishing the transmission
link to the proxy server based on the transmission medium to
be used, e.g. a public network, and the specific
configuration of the proxy server of the local area network
14. Therefore, the rules may include information on the type
of transmission link to be established to the proxy server
13, and/or the communication type requested, and/or the
required configuration of the client proxy means 11, the
configuration of the proxy server 13 and similar.